Loading and managing third-party tools on a website

ABSTRACT

Managing the loading of third-party tools on a website is described. Configuration is received for loading the third-party tools. An intermediary server receives a request for a page that is hosted at an origin server. The intermediary server retrieves the page and modifies the page including automatically including a third-party tool manager to the retrieved page. The third-party tool manager includes a set of one or more client-side scripts that, when executed by the client network application, collects and transmits information to the intermediary server for loading the third-party tools. The intermediary server loads the third-party tools based on the received information and the configuration. The intermediary server causes event data to be transmitted to third-party tool servers that correspond with the third-party tools.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No.63/265,089, filed Dec. 7, 2021, which is hereby incorporated byreference.

FIELD

Embodiments of the invention relate to the field of websites; and morespecifically, to the loading and managing of third-party tools on awebsite.

BACKGROUND

Websites commonly include third-party tools such as analytics tools,conversion pixels, chat widgets, maps, etc. Tag managers exist that areused to load and manage such third-party tools. A tag manager mayinclude a dashboard that allows a user to configure which tools load andwhen. An example configuration may be that a first tool loads on pagesstarting with “/support” and a second tool loads on pages starting with“/store”. This configuration is put in a script file (e.g., JavaScript)that is loaded by browsers when visiting that website.

This script file includes all tools and rules and evaluates each rule todetermine which tool to execute when. Typically, the script tags ofthese tools are appended to the DOM of the page which causes the browserto fetch and execute the scripts. Many scripts of third-party tools inturn call one or more other scripts. These scripts commonly collectinformation and transmit that information to an endpoint on athird-party server.

It is common for websites to have multiple third-party tools running.These tools each query for the information they want and send theircollected information to the third-party server. The website canexperience a slowdown when many of these tools are running. Further,since most third-party tools ask for remote JavaScript resources, it isdifficult for a website operator to keep track of what is being includedon their website, and many of these tools call other third-partyresources, or redirect HTTP requests to other endpoints. Runningthird-party scripts exposes a security risk if one of those third-partyscripts contains malicious code.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the followingdescription and accompanying drawings that are used to illustrateembodiments of the invention. In the drawings:

FIG. 1 shows an exemplary system for loading and managing third-partytools on a website according to an embodiment.

FIG. 2 illustrates an exemplary system for loading and managingthird-party tools on a website according to an embodiment.

FIG. 3 is a flow diagram that illustrates exemplary operations formanaging and loading third-party tools on a website according to anembodiment.

FIG. 4 is a flow diagram that illustrates exemplary operations forloading third-party tools on a website according to an embodiment.

FIG. 5 is a block diagram illustrating a data processing system that canbe used in an embodiment.

DESCRIPTION OF EMBODIMENTS

Loading and managing third-party tools on a website is described. Awebsite owner or operator uses an interface to configure which one ormore of multiple third-party tools to load on the website and optionallysettings for loading the one or more third-party tools will load. Thethird-party tools may be provided by multiple third-party providers. Thethird-party tools can include analytics tools, conversion pixels, chattools, widgets, maps, etc. This configuration is saved to a database. Arequest for a page of the website is received at an intermediary server.The intermediary server retrieves the page, automatically adds athird-party tool manager to the page, and transmits the modified page tothe requesting client. The third-party tool manager may include one ormore client-side scripts (e.g., JavaScript(s)). The third-party toolmanager can be added inline or through a reference to the third-partytool manager (e.g., including script tag(s) that reference thescript(s)). The third-party tool manager is operable to, when executedby the client network application, cause information to be transmittedto the intermediary server for loading the third-party tool(s) accordingto the configuration defined by the website operator. The intermediaryserver loads the third-party tool(s) based on the received informationand according to the configuration defined by the operator. In anembodiment, the third-party tools are loaded entirely remotely from theclient (e.g., on the cloud) without any corresponding third-party toolscripts running on the client.

In an embodiment, the received information may be scanned for violationsof a data loss prevention (DLP) policy defined in the third-party toolconfiguration. If there is a violation, the intermediary server takes anaction (e.g., remove the offending data, obfuscate the offending data,notify the operator of offending data, log the offense).

In an embodiment, if there is a third-party tool that is configured tobe managed by the third-party tool manager and included on the retrievedpage, the intermediary server removes or neutralizes that third-partytool such that the client network application does not execute thatthird-party tool.

The third-party tool manager described herein provides the functionalityof the third-party tools to the website without the correspondingthird-party scripts from running directly on the client networkapplication. This reduces the security risk involved in usingthird-party tools. For instance, since the third-party tools are notbeing directly executed by the client network application but areinstead being executed at an intermediary server, the system can scanthe code that is being executed and verify that the code has not beentampered with.

Moving the execution of third-party scripts away from the clientimproves page loading times. For instance, less code is running on theclient and less requests are made from the browser. The client does notneed to download, parse, and execute these third-party scripts; and doesnot complete or even block the rendering and/or interactivity of thepage.

Further, it also creates an extra layer of security and control overPersonal Identifiable Information, Protected Health Information, orother sensitive or unwanted pieces of information that are oftenunintentionally passed to third-party vendors.

FIG. 1 shows an exemplary system for loading and managing third-partytools on a website according to an embodiment. The system includes aclient device 110, an intermediary server 120, an origin server 130, aconfiguration server 150, and one or more third-party tool servers 160.The client device 110 is a computing device (e.g., laptop, desktop,smartphone, tablet, gaming system, set top box, wearable device, etc.)that is capable of transmitting and receiving network traffic. Theclient device 110 includes a client network application 115, such as abrowser, that accesses network resources. The origin server 130 is acomputing device that may serve and/or generate network resources (e.g.,web pages, images, word processing documents, PDF files, movie files,music files, or other computer files) for the website 135. The websiteoperator 165 owns and/or operates the website 135.

The intermediary server 120 is a computing device that is situatedbetween the client device 110 and the origin server 130. Theintermediary server 120 receives and processes network traffic such asrequests for resources of the website 135 hosted at the origin server130 (e.g., HTTP/s requests/responses, SPDY requests/responses, etc.). Inan embodiment, the intermediary server 120 is a reverse proxy server. Aswill be described in greater detail later herein, the intermediaryserver 120 manages the loading of third-party tools for a website.

The configuration server 150 includes a third-party tool configurationmanager 155 that allows the website operator 165 to configure theloading and managing of one or more third-party tools for the website135 at operation 1.1. The third-party tools may be provided by multiplethird-party providers. The third-party tools can include analyticstools, conversion pixels, chat widgets, maps, etc.

The third-party tool configuration manager 155 may be a dashboard thatallows the website operator 165 to select third-party tools from athird-party tool catalog. The functionality of the third-party tool(s)that are selected by the website operator 165 are provided to page(s) ofthe website 135 without requiring those third-party tool(s) beoriginally included on the page(s) and/or executed by the client networkapplication. Thus, in an embodiment, third-party scripts of thethird-party tools are not executed on the website thereby preventingthose scripts from slowing down the website and reducing or eliminatingthe security risk of loading the third-party scripts on the website.

The third-party tool configuration manager 155 may allow the websiteoperator 165 to configure the settings that apply to each selectedthird-party tool. The settings may be different for differentthird-party tools. For example, different third-party tools may havedifferent requirements for sending information. As another example, somethird-party tools may require the operator to have an account for thattool or service and provide an account identifier. In such a case thethird-party tool configuration manager 155 allows the website operator165 to provide the account identifier.

The settings may define how and/or when the third-party tool should beloaded by the intermediary server 120. Examples include server-to-servercommunication loading, optimized script loading, geolocation loading,selective loading, facades, deferring loading, page loading, requestbundling, and script inlining The third-party tool loading techniquesand timing techniques may be combined.

Regarding server-to-server communication loading, some third-party toolsallow information to be sent directly to their third-party tool server,such as through an API or other structured interface for receiving data.This is sometimes referred herein as server-to-server communication. Insuch a case, the intermediary server 120 may execute the third-partytool and transmit the event information to the third-party serverwithout further interaction with the client network application 115. Theintermediary server 120 may adapt the structure of the event informationcollected from the client network application 115 to the format expectedby the third-party tool server. In this case, the client networkapplication 115 does not execute a script of the third-party tool. Notall third-party tools support server-to-server communication. Thethird-party tool configuration manager 155 may provide theserver-to-server communication loading configuration option only forthose third-party tool(s) that support server-to-server communication.

Optimized script loading includes the intermediary server 120 mimickingthe behavior of the third-party tool including constructing a requestwith the information to send to the third-party tool server and sendingan optimized client-side script to the client network application 115that, when executed, sends the information to the third-party toolserver. This may be done if the third-party server does not supportserver-to-server communication. Although in this case the client networkapplication 115 executes a script, the client network application 115does not execute a third-party script. The execution of the optimizedclient-side script is typically faster than executing the originalthird-party tool script. For instance, often executing the originalthird-party tool script includes constructing the URL which may includehashing, encrypting, and/or other intensive computations, which are notperformed when executing the optimized client-side script. Thethird-party tool configuration manager 155 may provide the optimizedscript loading configuration option to all third-party tools.

The intermediary server 120 may be configured to load differentthird-party tools and/or versions of third-party tools based ongeolocation of the client network application 115 (e.g., based on amapping of the source IP address of the request to a location, throughuse of GPS or other geolocation). For instance, the intermediary server120 may load a version of a third-party tool for clients determined tobe in the United States and may load a second version of the third-partytool for clients determined to be outside of the United States. Thethird-party tool configuration manager 155 may provide the geolocationloading configuration option to all third-party tools.

As another example, the intermediary server 120 may be configured toselectively load a third-party tool for only a certain percentage ofvisits (e.g., a sampling of a set of visitors). Unlike conventionalsolutions where the third-party script is delivered to the clientnetwork application 115 and parsed by the client network application 115even when not executed, the intermediary server 120 does not load thethird-party tool when it is not needed. The third-party toolconfiguration manager 155 may provide the selectively loadingconfiguration option to all third-party tools.

The intermediary server 120 may be configured to load a facade of thethird-party tool, which is a lighter-weight version of the third-partytool that loads only when the client network application 115 reachesinteractivity or upon user activity. A third-party tool facade may beloaded for a widget, such as a chat board, for example. The facade mayinclude what is essential to be displayed, but the functionality of thetool does not load until the page is finished loading or the user triesto interact with the tool. At that point, the third-party tool facade isreplaced with the script of the third-party tool. The third-party toolconfiguration manager 155 may provide the facade loading configurationoption to third-party tools that include a visual component on the page.

The intermediary server 120 may be configured to delay loading of athird-party tool until a certain point in the interactivity of thewebsite (e.g., a few seconds after a DOMLoaded event). For instance, thethird-party tool may not be loaded until the page has finished loadingor upon user activity. In an embodiment, the intermediary server 120prebuilds any necessary outgoing request(s) and transmits them if thepage is exited (e.g., the tab is closed) before the delay window hasfinished. The third-party tool configuration manager 155 may provide thedelay loading configuration option to all third-party tools.

The intermediary server 120 may be configured to load a third-party toolat the page load time. The third-party tool configuration manager 155may provide the page loading configuration option to all third-partytools.

The intermediary server 120 may be configured to create a single bundledscript for the page by fetching required assets (e.g., prefetching thoseassets) thereby saving the client network application 115 from makingseparate requests.

The intermediary server 120 may be configured to write the third-partytools inline into the page. The third-party tool configuration manager155 may provide the inline configuration option to all third-partytools.

The third-party tool configuration manager 155 can allow the operator todefine a set of one or more rules that need to apply for the event to betriggered (e.g., the loading of the script). A trigger may be based onan activity occurring on the page. For instance, a trigger may bedefined when a particular button is clicked on the page.

The third-party tool configuration manager 155 may allow the websiteoperator 165 to define a custom tool. The custom tool is not athird-party tool. For instance, a custom IMG tag may be created wherethe custom tool that is being added is using an <img> tag. This is animage (e.g., a pixel) that collects data when the client networkapplication makes a request for that image from a particular URL. Asanother example, a custom HTML tool may be created when the custom toolthat is being added is a <script> tag. The third-party toolconfiguration manager 155 may allow the operator to define when the toolwill be loaded (e.g., deferring, on page load, immediate). Thethird-party configuration manager 155 may allow the operator to definethe trigger for loading the custom tool.

In an embodiment, the third-party tool configuration manager 155 allowsthe website operator 165 to configure one or more data loss prevention(DLP) rules. Example DLP rules include checking for an email address,name, social security number, phone number, or other personallyidentifiable information (PII). The third-party configuration manager155 may allow custom rules to be generated (e.g., using regex). Thethird-party configuration manager 155 may allow the operator todetermine what type of action to take when a DLP rule is violated. Forexample, the violating information may be obfuscated or removed from theinformation. As another example, the operator may be notified (e.g.,email, text message) upon a violation.

The configuration of the third-party tools (the third-party toolconfiguration 157) is stored in a data structure that is available tothe intermediary server 120. The third-party tool configuration 157 maybe stored in a central location, such as the configuration server 150,and queried by the intermediary server 120. Alternatively, thethird-party tool configuration 157 may be transmitted to theintermediary server 120. As shown in FIG. 1 , the third-party toolconfiguration is sent to the intermediary server 120 at operation 1.2.

The intermediary server 120 manages the loading of third-party tool(s)for the website 135 according to configuration defined by the websiteoperator 165. The third-party tools can include analytics tools,conversion pixels, chat widgets, maps, etc. A request for a page of thewebsite 135 is received at the intermediary server 120 from the clientnetwork application 115 at operation 1.3. The request is received at theintermediary server 120 instead of the origin server 130. For instance,the domain of the page may resolve to an IP address of the intermediaryserver 120 instead of the origin server 130.

The intermediary server 120 retrieves the page from the origin server130. For instance, at operation 1.4, the intermediary server 120transmits a request for the page to the origin server 130 and receives,at operation 1.5, the requested page. The retrieved page may include oneor more third-party tools that have been configured by the operator 165to be loaded by the intermediary server 120. In such cases, theintermediary server 120 may remove those third-party tool(s) and/orcause those third-party tool(s) to not be executed by the client networkapplication 115. In other cases, the retrieved page does not include theone or more third-party tools that have been configured by the operator165 to be loaded by the intermediary server 120.

At operation 1.6, the third-party tool controller 122 of theintermediary server 120 automatically adds a third-party tool manager tothe page that is operable to, when executed by the client networkapplication 115, cause information to be transmitted to the intermediaryserver 120 for loading the third-party tool(s) according to theconfiguration defined by the website operator 165. For instance, thethird-party tool manager may be added to the head of the page (e.g.,within the <head> element of the page). The information may includeinformation collected from the client device 110 and/or the clientnetwork application 115 that is not included in HTTP requests or cannotbe derived from HTTP requests (e.g., screen resolution, viewport size).

The information may include event information such as if a certainconfigured interaction occurred with the page (e.g., a particular buttonwas clicked). The third-party tool manager may include one or moreclient-side scripts (e.g., JavaScript(s)). The third-party tool managercan be added inline and/or through a reference to the third-party toolmanager (e.g., including script tag(s) that reference the script(s)).Prior to adding the third-party tool manager to the page, thethird-party tool controller 122 may dynamically generate the third-partytool manager if it does not exist in cache available to the intermediaryserver 120. The third-party tool controller 122 may dynamically generatethe third-party tool manager depending on the third-party toolconfiguration 157, and the resulting third-party tool manager may bedifferent for different client network applications.

At operation 1.7, the intermediary server 120 transmits the requestedpage that includes the third-party tool manager to the client networkapplication 115 of the client device 110. The client network application115 executes the third-party tool manager.

FIG. 2 illustrates an exemplary system for loading and managingthird-party tools on a website according to an embodiment. Theoperations of FIG. 2 occur after the operations of FIG. 1 . In theexample of FIG. 2 , the client network application 115 has received thepage 210 that includes the third-party tool manager 215 from theintermediary server 120. The third-party tool manager collectsinformation for loading the configured third-party tools and transmitsthe information to the intermediary server 120 (e.g., the third-partytool controller 122). The third-party tool manager may collectinformation from the client device 110 and/or the client networkapplication 115 that is not included in HTTP requests or cannot bederived from HTTP requests. For instance, the third-party tool managermay determine the screen resolution of the client device 110 and/or theclient network application 115 if one of the tools configured for thewebsite requires the screen resolution to operate correctly. Thethird-party tool manager may also collect information from the clientdevice 110 and/or the client network application that is included inHTTP requests or derived from HTTP requests. The information may includeevent information such as if a certain configured interaction occurredwith the page (e.g., a particular button was clicked). This informationmay be used during execution of third-party tools. As shown in FIG. 2 ,the third-party tool manager 215 transmits the information at operation2.1 to the third-party controller 122.

The third-party tool controller 122 receives and processes theinformation at operation 2.2. The third-party tool controller 122determines, based on the third-party tool configuration 157 and thereceived information, what third-party tools to load and the settingsfor loading the tools. In an embodiment, the third-party controller 122may also, using the DLP manager 220, scan the data for any violations ofa DLP policy defined in the third-party tool configuration 157 and takethe defined actions if there is a violation (e.g., remove the offendingdata, obfuscate the offending data, notify the operator of offendingdata, log the offense). The DLP manager 220 may analyze the request URLof the event information to determine if there is a violation of a DLPpolicy. The DLP manager 220 may analyze the content of the data (e.g.,form data) to determine if the content includes a violation of a DLPpolicy. The DLP manager 220 may mask or obfuscate IP address informationthat is included in the received data.

The execution of some third-party tools may be completed by theintermediary server 120 without further interaction from the clientnetwork application 115. For example, if a third-party tool server 160supports server to server communication, the intermediary server 120 cantransmit the information directly to that third-party tool server 160.In the example of FIG. 2 , the third-party tool server 160A supportsserver-to-server communication for a third-party tool that is loaded bythe third-party tool controller 122. The third-party tool controller 122can transmit the processed event information for that third-party toolto the third-party tool server 160A at operation 2.3A, without furtherinteraction from the client network application 115.

If server to server communication is not supported or not configured fora particular third-party tool, the intermediary server 120 may constructa URL to which the client network application 115 is to transmit theinformation, and an optimized client-side script that replicates thefunctionality of the original client-side script. In the example of FIG.2 , the third-party tool controller 122 prepares the event reportingincluding constructing the URL at operation 2.3B and transmits theoptimized client-side script to the client network application 115 atoperation 2.4B. The optimized client-side script is configured to, whenexecuted, cause the client network application 115 to transmit theprocessed event information to the third-party tool server 160B atoperation 2.5B. The client network application 115 executes theoptimized client-side script to send the information to the third-partytool server 160B.

The third-party tool manager may also control how the third-party toolsare loaded based on triggers, which may be defined by the customer.Trigger evaluation may occur on the third-party tool manager and/or theintermediary server 120. A trigger may be based on an activity occurringon the page. For instance, a trigger may be defined when a particularbutton is clicked on the page. Upon the activity occurring, in anembodiment the third-party tool manager transmits the indication of theactivity to the intermediary server 120 and any other requiredinformation. The intermediary server 120 executes the third-partytool(s) associated with the trigger. Executing the third-party tool(s)is based on the third-party tool configuration 157 and the information,including whether to filter the data. Executing the third-party tool(s)may include transmitting the event information directly to thethird-party tool server or causing the client to transmit theinformation to the third-party tool server as previously described.

Although embodiments have been described where a third-party toolmanager is added to the page for managing the loading of third-partytools, in some cases the third-party tool manager is not included in thepage. For instance, a third-party tool (or custom tool) may collectevent information from the request itself or that can be derived fromthe request. For instance, the intermediary server 120 may receive arequest for the page and use the information in the request for thethird-party tool (e.g., page view, visit).

To provide an example of loading a third-party tool, consider theloading of a tracking pixel third-party tool that tracks page views thatrelies on cookies. When a client network application accesses a websitethat is configured to include the tracking pixel, the third-party toolcontroller 122 of the intermediary server 120 automatically adds athird-party tool manager to the page that is operable to provideinformation for loading the tracking pixel. For instance, thethird-party tool manager may collect information about the visit such asthe page visited, the type of client network application, the type ofdevice, any cookies that are set, etc. The third-party tool controller122 determines whether a cookie is included for the tracking pixel. Ifsuch a cookie is included, and assuming that the third-party tool serversupports server-to-server communication, the third-party tool controller122 transmits the page view event with the cookie value to thethird-party tool server of the tracking pixel third-party tool. If sucha cookie is not included, the third-party tool controller 122 generatesan optimized version of the tracking pixel third party tool script andtransmits it to the client network application 115. The optimizedversion of the tracking pixel third-party tool script may be optimizedto not be executed by the client network application until the websitereaches interactivity or if the user exits the website prior to thescript executing. When the script executes, a cookie is created and sentto the intermediary server 120. The intermediary server 120 may thentransmit the page view event with the cookie value to the third-partytool server.

In an embodiment, the third-party tool controller 122 of theintermediary server 120 is run in a serverless execution environment.For instance, the third-party tool controller 122 may be executed in anexecution environment in which a single process can safely runthird-party code. The process can contain multiple executionenvironments at the same time and the process can seamlessly switchbetween them. Code in one execution environment cannot interfere withcode running in a different execution environment despite being in thesame process. The execution environments are managed in user-spacerather than by an operating system. Each execution environment uses itsown mechanism to ensure safe memory access, such as preventing the codefrom requesting access to arbitrary memory (restricting its use to theobjects it has been given) and/or interpreting pointers within a privateaddress space that is a subset of an overall address space. Thisexecution environment may not be a container or virtual machine. Forpurposes of description, this type of execution environment is sometimesreferred herein as an isolated execution environment. In a specificimplementation, the execution environment is an isolate of the V8JavaScript engine. In an embodiment, each third-party tool that isexecuted by the third-party tool controller is executed in its ownisolated execution environment.

FIG. 3 is a flow diagram that illustrates exemplary operations formanaging and loading third-party tools on a website according to anembodiment. The operations of FIG. 3 and other flow diagrams aredescribed with respect to the exemplary embodiments of FIGS. 1 and 2 .However, the exemplary embodiments of FIGS. 1 and 2 can performoperations different from those of FIG. 3 and the other flow diagrams,and the operations of FIG. 3 and the other flow diagrams can beperformed by different embodiments from those in FIGS. 1 and 2 .

At operation 310, the system receives configuration for loading andmanaging one or more third-party tools for a website. With respect toFIG. 1 , the configuration server 150 receives the configuration fromthe website operator 165 for the website 135 through use of thethird-party tool configuration manager 155. The configuration may besimilar to the configuration described with respect to FIG. 1 . Theconfiguration is stored in the configuration server 150 and/or theintermediary server 120.

Next, at operation 315, the intermediary server 120 receives a requestfor a web page of the website 135. The request is received at theintermediary server 120 instead of the origin server 130. Next, atoperation 320, the intermediary server 120 retrieves the requested webpage. Retrieving the requested web page may include transmitting arequest for the page to the origin server 130 and receiving a responseincluding the web page if the web page is not in a cache available tothe intermediary server 120. If the web page is in cache available tothe intermediary server 120, the web page may be retrieved from thecache.

At operation 325, the intermediary server 120 accesses the third-partytool configuration that is applicable for the requested web page todetermine the third-party tool(s) to be loaded for the page. Next, atoperation 330, the intermediary server 120 analyzes the web page anddetermines at operation 335 whether the web page includes third-partytool(s) that are being managed. To say it another way, the intermediaryserver 120 determines whether the page already includes a third-partytool that has been configured to be managed by the service. If the webpage does include such a third-party tool, then at operation 340 theintermediary server 120 removes those third-party tool(s) or causes themto not be executed by the client network application 115 (e.g., changingthe script tag so that the third-party tool is not executed). Flow thenmoves to operation 345. If the web page does not include such athird-party tool, then operation 345 is performed.

At operation 345, the intermediary server 120 adds a third-party toolmanager to the page. The third-party tool manager can be added inline orthrough a reference to the third-party tool manager (e.g., includingscript tag(s) that reference the script(s) of the third-party toolmanager). Prior to adding the third-party tool manager to the page, theintermediary server 120 may dynamically generate the third-party toolmanager if it does not exist in cache available to the intermediaryserver 120. The intermediary server 120 may dynamically generate thethird-party tool manager depending on the third-party tool configuration157, and the resulting third-party tool manager may be different fordifferent client network applications. The third-party tool manager maybe a set of one or more client-side scripts that, when executed by theclient network application 115, collects and transmits information tothe intermediary server 120 for loading the configured third-partytool(s). For example, the information may include information collectedfrom the client device 110 and/or the client network application 115that is not included in HTTP requests or cannot be derived from HTTPrequests (e.g., screen resolution, viewport size). The information mayinclude event information such as if a certain configured interactionoccurred with the page (e.g., a particular button was clicked). Atoperation 350, the intermediary server 120 transmits the modified pageincluding the third-party tool manager to the requesting client networkapplication 115.

In an embodiment, in addition to or in lieu of adding the third-partytool manager to the page, the intermediary server 120 may automaticallyinject code to the page for triggering event information to betransmitted to the intermediary server 120. For example, based on theconfigured third-party tools, the intermediary server 120 may analyzethe HTML of the page and determine component(s) in which to add atrigger. As an example, if the intermediary server 120 detects a buttonin the page, the intermediary server 120 may add an event listener(e.g., using CSS selectors) that transmits event information upon thatbutton being clicked. As another example, if the intermediary server 120detects a form submission in the page, the intermediary server 120 mayadd code to track the form submissions (e.g., using CSS selectors) totrigger an event when the form is submitted.

FIG. 4 is a flow diagram that illustrates exemplary operations forloading third-party tools on a website according to an embodiment. Theoperations of FIG. 4 occur after a third-party manager tool has beentransmitted to a client network application. For instance, theoperations of FIG. 4 occur after the intermediary server 120 transmitsthe third-party tool manager to the requesting client networkapplication 115. The client network application 115 executes thethird-party tool manager.

At operation 410, the intermediary server 120 receives information fromthe third-party tool manager that is used for loading the third-partytool(s). The information may include information collected from theclient device 110 and/or the client network application 115 that is notincluded in HTTP requests or cannot be derived from HTTP requests (e.g.,screen resolution, viewport size). The information may include eventinformation such as if a certain interaction occurred with the page(e.g., a particular button was clicked).

Next, at operation 415, the intermediary server 120 accesses thethird-party tool configuration that is applicable for the requested webpage. At operation 420, the intermediary server 120 scans theinformation received for a violation of a DLP rule included in thethird-party tool configuration. Example DLP rules include checking theinformation for an email address, name, social security number, phonenumber, or other personally identifiable information (PII). If a DLPrule is determined to be violated at operation 425, then flow moves tooperation 430 where the intermediary server 120 removes or obfuscatesthe violating information. The operator may also be notified (e.g.,email, text message) upon a violation and/or the violation logged. Flowthen moves to operation 435. If a DLP rule is determined to not beviolated at operation 425, then flow moves to operation 435.

The intermediary server 120 executes the configured third-party toolaccording to the configuration. Executing these third-party toolstypically includes sending event data to the third-party tool serversfor those tools (e.g., page views, button clicked, etc.). Theintermediary server 120 causes the event data to be transmitted to thethird-party tool servers. The intermediary server 120 may sendinformation directly to the third-party tool server if that serversupports server-to-server communication. If the third-party tool serverdoes not support server-to-server communication or it has not beenconfigured for a particular tool, then the intermediary server 120 mayconstruct the URL to which the client network application 115 is totransmit the information and an optimized client-side script thatreplicates the functionality of the original client-side script.

At operation 435, the intermediary server determines whether eventinformation for a third-party tool can be transmitted directly to thecorresponding third-party tool server. For instance, the intermediaryserver 120 looks up the configuration for the third-party tool anddetermines whether the corresponding third-party tool server supportsserver-to-server communication. If the event information can betransmitted directly, then at operation 440 the intermediary server 120transmits the event information to the third-party tool server. If theevent information cannot be transmitted directly to the third-party toolserver, then control moves to operation 445.

At operation 445, the intermediary server 120 prepares an eventreporting for the client network application 115 to transmit to theappropriate third-party tool server. For instance, the intermediaryserver 120 may construct a URL to which the client network application115 is to transmit the information, and an optimized client-side scriptthat replicates the functionality of the original client-side script.Next, at operation 450, the intermediary server 120 transmits theprepared event reporting to the client network application 115 to causethe client network application 115 to transmit the event to thethird-party tool server.

The intermediary server 120 may be part of a distributed cloud computingnetwork that includes multiple data centers that are geographicallydistributed. Each data center may include one or more intermediaryservers, one or more control servers, one or more DNS servers, and oneor more other pieces of networking equipment (e.g., routers, switches,hubs, etc.). The intermediary server(s), control server(s), and DNSserver(s) may be virtual instances running on the same physical deviceor may be separate physical devices. The data centers may begeographically distributed which decreases the distance betweenrequesting client devices and content.

In an embodiment, only an intermediary server that is in the same datacenter to which the client network application 115 connects is permittedto execute the third-party tools for websites accessed by the clientnetwork application 115. In such a case, if there is a violation of aDLP rule (e.g., PII information is scrubbed), that information may notbe transmitted outside of the data center (or a region to which the datacenter belongs) to the third-party tool provider.

In an embodiment, the configuration includes a setting that defines aspecific geographic location or region in which decryption of HTTPStraffic is permitted to occur.

FIG. 5 illustrates a block diagram for an exemplary data processingsystem 500 that may be used in some embodiments. One or more such dataprocessing systems 500 may be utilized to implement the embodiments andoperations described with respect to the intermediary server 120 and/orthe configuration server 150. Data processing system 500 includes aprocessing system 520 (e.g., one or more processors and connected systemcomponents such as multiple connected chips).

The data processing system 500 is an electronic device that stores andtransmits (internally and/or with other electronic devices over anetwork) code (which is composed of software instructions and which issometimes referred to as computer program code or a computer program)and/or data using machine-readable media (also called computer-readablemedia), such as machine-readable storage media 510 (e.g., magneticdisks, optical disks, read only memory (ROM), flash memory devices,phase change memory) and machine-readable transmission media (alsocalled a carrier) (e.g., electrical, optical, radio, acoustical or otherform of propagated signals—such as carrier waves, infrared signals),which is coupled to the processing system 520. For example, the depictedmachine-readable storage media 510 may store program code 530 that, whenexecuted by the processor(s) 520, causes the data processing system 500to execute the third-party controller 122, and/or any of the operationsdescribed herein.

The data processing system 500 also includes one or more networkinterfaces 540 (e.g., a wired and/or wireless interfaces) that allowsthe data processing system 500 to transmit data and receive data fromother computing devices, typically across one or more networks (e.g.,Local Area Networks (LANs), the Internet, etc.). The data processingsystem 500 may also include one or more input or output (“I/O”)components 550 such as a mouse, keypad, keyboard, a touch panel or amulti-touch input panel, camera, frame grabber, optical scanner, anaudio input/output subsystem (which may include a microphone and/or aspeaker), other known I/O devices or a combination of such I/O devices.Additional components, not shown, may also be part of the system 500,and, in certain embodiments, fewer components than that shown in One ormore buses may be used to interconnect the various components shown inFIG. 5 .

The techniques shown in the figures can be implemented using code anddata stored and executed on one or more electronic devices (e.g., aclient device, an intermediary server, a configuration server). Suchelectronic devices store and communicate (internally and/or with otherelectronic devices over a network) code and data using computer-readablemedia, such as non-transitory computer-readable storage media (e.g.,magnetic disks; optical disks; random access memory; read only memory;flash memory devices; phase-change memory) and transitorycomputer-readable communication media (e.g., electrical, optical,acoustical or other form of propagated signals—such as carrier waves,infrared signals, digital signals). In addition, such electronic devicestypically include a set of one or more processors coupled to one or moreother components, such as one or more storage devices (non-transitorymachine-readable storage media), user input/output devices (e.g., akeyboard, a touchscreen, and/or a display), and network connections. Thecoupling of the set of processors and other components is typicallythrough one or more busses and bridges (also termed as bus controllers).Thus, the storage device of a given electronic device typically storescode and/or data for execution on the set of one or more processors ofthat electronic device. Of course, one or more parts of an embodiment ofthe invention may be implemented using different combinations ofsoftware, firmware, and/or hardware.

In the preceding description, numerous specific details are set forth toprovide a more thorough understanding of embodiments. It will beappreciated, however, by one skilled in the art that embodiments can bepracticed without such specific details. In other instances, controlstructures, gate level circuits and full software instruction sequenceshave not been shown in detail in order not to obscure understanding.Those of ordinary skill in the art, with the included descriptions, willbe able to implement appropriate functionality without undueexperimentation.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to affect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

Bracketed text and blocks with dashed borders (e.g., large dashes, smalldashes, dot-dash, and dots) may be used herein to illustrate optionaloperations that add additional features to embodiments of the invention.However, such notation should not be taken to mean that these are theonly options or optional operations, and/or that blocks with solidborders are not optional in certain embodiments of the invention.

In the preceding description and the claims, the terms “coupled” and“connected,” along with their derivatives, may be used. These terms arenot intended as synonyms for each other. “Coupled” is used to indicatethat two or more elements, which may or may not be in direct physical orelectrical contact with each other, co-operate or interact with eachother. “Connected” is used to indicate the establishment ofcommunication between two or more elements that are coupled with eachother.

While the flow diagrams in the figures show a particular order ofoperations performed by certain embodiments of the invention, such orderis exemplary (e.g., alternative embodiments may perform the operationsin a different order, combine certain operations, overlap certainoperations, etc.).

While the invention has been described in terms of several embodiments,those skilled in the art will recognize that the invention is notlimited to the embodiments described, can be practiced with modificationand alteration within the spirit and scope of the appended claims. Thedescription is thus to be regarded as illustrative instead of limiting.

What is claimed is:
 1. A method, comprising: receiving configuration forloading a plurality of third-party tools of a plurality of third-partytool providers for a website, wherein the received configurationincludes a data loss prevention rule; receiving, at an intermediaryserver from a client network application of a client device, a requestfor a page of the website, wherein the web site is hosted at an originserver; retrieving, by the intermediary server, the page; modifying, bythe intermediary server, the retrieved page by automatically including athird-party tool manager to the retrieved page, wherein the third-partytool manager includes a set of one or more client-side scripts that,when executed by the client network application of the client device,transmits information to the intermediary server for loading theplurality of third-party tools; receiving, from the client networkapplication via the third-party tool manager, information for loadingthe plurality of third-party tools; scanning the received informationand determining that there is a violation of the data loss preventionrule, and responsive to this determination, obfuscating data of thereceived information that is in violation of the data loss; loading theplurality of third-party tools based on the received informationincluding the obfuscated data and the configuration; and causing eventdata to be transmitted to a plurality of third-party tool servers thatcorrespond with the plurality of third-party tools.
 2. The method ofclaim 1, wherein causing event data to be transmitted to at least one ofthe plurality of third-party tool servers includes the intermediaryserver transmitting the event data to that third-party tool server usingan application programming interface (API) provided by the third-partytool server provider of that third-party tool.
 3. The method of claim 1,wherein causing event data to be transmitted to at least one of theplurality of third-party tool servers includes constructing a URL withthe event data to be transmitted to that third-party tool server andtransmitting an optimized client-side script to the client networkapplication that, when executed by the client network application,transmits the event data to that third-party tool server.
 4. The methodof claim 1, wherein the page does not include the plurality ofthird-party tools.
 5. The method of claim 1, wherein the receivedconfiguration includes a setting that defines a specific geolocation orregion in which decryption of traffic is permitted to occur.
 6. Themethod of claim 1, wherein the intermediary server is in a first datacenter, and wherein the first data center is one of a plurality of datacenters that each include a set of one or more intermediary servers, andwherein the received configuration includes a setting that defines thatonly an intermediary server that is located in a same data center towhich the client network application connects is permitted to load theplurality of third-party tools based on the received information and theconfiguration.
 7. The method of claim 1, wherein the receivedinformation includes a screen resolution of the client networkapplication.
 8. The method of claim 1, wherein the received informationis received as a result of a configured interaction occurring with thepage.
 9. A non-transitory machine-readable storage medium that providesinstructions that, if executed by a processor, will cause said processorto carry out operations comprising: receiving configuration for loadinga plurality of third-party tools of a plurality of third-party toolproviders for a website, wherein the received configuration includes adata loss prevention rule; receiving, at an intermediary server from aclient network application of a client device, a request for a page ofthe website, wherein the web site is hosted at an origin server;retrieving, by the intermediary server, the page; modifying, by theintermediary server, the retrieved page by automatically including athird-party tool manager to the retrieved page, wherein the third-partytool manager includes a set of one or more client-side scripts that,when executed by the client network application of the client device,transmits information to the intermediary server for loading theplurality of third-party tools; receiving, from the client networkapplication via the third-party tool manager, information for loadingthe plurality of third-party tools; scanning the received informationand determining that there is a violation of the data loss preventionrule, and responsive to this determination, obfuscating data of thereceived information that is in violation of the data loss; loading theplurality of third-party tools based on the received informationincluding the obfuscated data and the configuration; and causing eventdata to be transmitted to a plurality of third-party tool servers thatcorrespond with the plurality of third-party tools.
 10. Thenon-transitory machine-readable storage medium of claim 9, whereincausing event data to be transmitted to at least one of the plurality ofthird-party tool servers includes the intermediary server transmittingthe event data to that third-party tool server using an applicationprogramming interface (API) provided by the third-party tool serverprovider of that third-party tool.
 11. The non-transitorymachine-readable storage medium of claim 9, wherein causing event datato be transmitted to at least one of the plurality of third-party toolservers includes constructing a URL with the event data to betransmitted to that third-party tool server and transmitting anoptimized client-side script to the client network application that,when executed by the client network application, transmits the eventdata to that third-party tool server.
 12. The non-transitorymachine-readable storage medium of claim 9, wherein the page does notinclude the plurality of third-party tools.
 13. The non-transitorymachine-readable storage medium of claim 9, wherein the receivedconfiguration includes a setting that defines a specific geolocation orregion in which decryption of traffic is permitted to occur.
 14. Thenon-transitory machine-readable storage medium of claim 9, wherein theintermediary server is in a first data center, and wherein the firstdata center is one of a plurality of data centers that each include aset of one or more intermediary servers, and wherein the receivedconfiguration includes a setting that defines that only an intermediaryserver that is located in a same data center to which the client networkapplication connects is permitted to load the plurality of third-partytools based on the received information and the configuration.
 15. Thenon-transitory machine-readable storage medium of claim 9, wherein thereceived information includes a screen resolution of the client networkapplication.
 16. The non-transitory machine-readable storage medium ofclaim 9, wherein the received information is received as a result of aconfigured interaction occurring with the page.